Vulnerability Details : CVE-2021-30167
The manage-users profile service of the network camera device allows authenticated remote attackers to modify URL parameters and thereby amend other users' information and escalate privileges to take control of the device.
Products affected by CVE-2021-30167
- cpe:2.3:o:meritlilin:p2r8852e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r8852e4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6852e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6852e4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6552e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6552e4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6352ae2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6352ae4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r3052ae2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2g1052_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r8822e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r8822e4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6822e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6822e4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6522e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6522e4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6322ae2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r6322ae4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2r3022ae2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2g1022_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p2g1022x_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8852ax_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8152x-p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8152x2-p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8052ex25_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r6552x_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r6452ax_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r6452ax-p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8822ax_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8122x-p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8122x2-p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r8022ex25_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r6522x_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r6422ax_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z2r6422ax-p_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p3r6322e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p3r6522e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:p3r8822e2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z3r6422x3_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z3r6522x_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:meritlilin:z3r8922x3_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-30167
- EPSS score: 0.73% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-30167
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | TWCERT/CC | 
CWE ids for CVE-2021-30167
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. (Assigned by: nvd@nist.gov, Primary)
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (Assigned by: twcert@cert.org.tw, Secondary)
References for CVE-2021-30167
- https://www.chtsecurity.com/news/0b733a38-e616-4ff3-86a6-13e710643388 : "CHT Security Red Team Discovered Several Vulnerabilities in Well-Known IP Camera" | 中華資安國際 CHT Security Co., Ltd. (Third Party Advisory)
- https://www.meritlilin.com/assets/uploads/support/file/M00166-TW.pdf (Vendor Advisory)
- https://gist.github.com/keniver/86ebef688fb274b534da51ef1a84dd3e : "LILIN IP Camera P2 Z2 Multiple Vulnerabilities.md" · GitHub (Third Party Advisory)
- https://www.twcert.org.tw/tw/cp-132-4676-391a5-1.html : TWCERT/CC Taiwan Computer Emergency Response Team / Coordination Center - Merit LILIN P2/Z2/P3/Z3 series network cameras - Command Injection (Not Applicable)